IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661, p-ISSN: 2278-8727, Volume 16, Issue 2, Ver. V (Mar-Apr. 2014), PP 11-16 www.iosrjournals.org

Study on Pagefile.sys in Windows System

Nisarg Trivedi
Institute of Forensic Science, Gujarat Forensic Sciences University, Gujarat, India

Abstract: Pagefile.sys is a file used by Microsoft Windows to store frames of memory that do not currently fit into physical memory. In other words, Windows uses a page file to hold data that the computer’s random-access memory cannot hold once it fills up. Analysis of Pagefile.sys shows which events took place on the PC, and it can reveal sensitive information such as user IDs, passwords, hidden processes, download information and browser search activity. This paper presents various approaches and tools used to capture and analyze data from Pagefile.sys.

Keywords: Physical Memory, Artifacts in Pagefile.sys, Sensitive information.

I. Introduction

Windows uses part of your hard drive space as "virtual memory" [7]. It loads what it needs into the much faster RAM (random access memory), but creates a swap or page file on the hard drive that it uses to swap data in and out of RAM [7]. The file is named pagefile.sys and is located in the root of the C: drive (or of whichever drive the operating system is installed on), but it is a hidden system file, so you won't see it unless you have changed your file viewing settings to show hidden and system files [7]. Pagefile.sys is a Windows system file that acts as a swap file and was designed to improve performance [8]. Virtual memory allows Windows to open more windows and run more programs simultaneously while keeping only the one being actively used in RAM [7].

The "problem" lies in the fact that information remains in the page file. As you use different programs and perform different functions on your computer, the page file may end up containing all sorts of potentially sensitive or confidential information [7]. Event log records, like other data, may be found within the page file or within unallocated space [1].

II. Myth about Pagefile.sys

The myth: disabling the page file improves performance [3].

Some people will tell you that you should disable the page file to speed up your computer [3]. The thinking goes like this: the page file is slower than RAM, and if you have enough RAM, Windows will use the page file when it should be using RAM, slowing down your computer [3]. This isn’t really true. People have tested this theory and found that, while Windows can run without a page file if you have a large amount of RAM, there’s no performance benefit to disabling the page file [3].

However, disabling the page file can result in some bad things [3]. If programs start to use up all your available memory, they’ll start crashing instead of being swapped out of RAM into your page file [3]. This can also cause problems when running software that requires a large amount of memory, such as virtual machines [3]. Some programs may even refuse to run [3].

In summary, there’s no good reason to disable the page file: you’ll get some hard drive space back, but the potential system instability won’t be worth it [3]. Note that cleaning pagefile.sys at system shutdown increases the performance of the system [6].

III. Management of Pagefile.sys

Figure 1: Location of Pagefile.sys in Computer System
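The introduction's point that information remains in the page file can be checked on an acquired copy by carving printable strings from it. The following is an added example, not code from the paper: it scans a buffer for ASCII and UTF-16LE runs, flags URLs, e-mail addresses and credential-style form fields, and reports the 4 KiB page each hit falls in. The patterns, function names and the sample buffer are assumptions constructed for illustration.

```python
import re

PAGE_SIZE = 4096   # Windows x86/x64 page size; hits are reported per page
MIN_LEN = 6        # shortest run of printable characters worth keeping

# Printable runs as single-byte ASCII and as UTF-16LE (Windows wide strings).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Assumed triage patterns for the artifact types the abstract lists.
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "credential_field": re.compile(r"(?i)\b(?:user(?:name)?|pass(?:word)?|pwd)=[^&\s]+"),
}

def carve_strings(data):
    """Yield (offset, encoding, bytes_per_char, text) for each printable run."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", 1, m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", 2, m.group().decode("utf-16le")

def triage(data):
    """Return sorted (page, byte_offset, encoding, category, match) hits."""
    hits = []
    for off, enc, width, text in carve_strings(data):
        for category, rx in PATTERNS.items():
            for m in rx.finditer(text):
                pos = off + m.start() * width   # byte offset of the match itself
                hits.append((pos // PAGE_SIZE, pos, enc, category, m.group()))
    return sorted(hits)

def build_sample():
    """Constructed 3-page buffer standing in for a page file (not real data)."""
    buf = bytearray(3 * PAGE_SIZE)
    ascii_hit = b"GET http://example.test/search?q=forensics HTTP/1.1"
    wide_hit = "username=alice&password=Constructed-Pw1".encode("utf-16le")
    buf[100:100 + len(ascii_hit)] = ascii_hit
    start = PAGE_SIZE + 512
    buf[start:start + len(wide_hit)] = wide_hit
    return bytes(buf)

if __name__ == "__main__":
    for hit in triage(build_sample()):
        print(hit)
```

On a running system pagefile.sys is locked by the kernel, so this kind of scan is run against a copy taken from a forensic image. A string that straddles a page boundary may join two unrelated pages and should be treated with caution.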